Inside The ToolShell Campaign

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

FortiGuard Labs has identified a new exploit chain called 'ToolShell' targeting on-premises Microsoft SharePoint servers. This attack combines two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) with two zero-day variants (CVE-2025-53770 and CVE-2025-53771) to achieve remote code execution. The campaign uses sophisticated tools like GhostWebShell, a fileless ASP.NET web shell for remote access, and KeySiphon, which collects system information and application secrets. Active exploitation demonstrates SharePoint's status as a high-value target and the rapid weaponization of vulnerabilities. FortiGuard Labs has released protective measures and recommends swift patching, layered security, and thorough log review to mitigate risks.

OPENCTI LABELS :

fileless,remote code execution,zero-day,ghostwebshell,sharepoint,cve-2025-53771,cve-2025-53770,toolshell,cve-2025-49704,cve-2025-49706,keysiphon,exploit chain

